(54) Layer-independent security for communication channels



(57) A method and apparatus for providing layer-independent secure network communication is provided. According to an embodiment of the invention, a transmission medium is provided between a first network node and a second network node. Both the first network node and the second network node support at least one common communication protocol. A Java output stream is established between a first process executing on the first network node and the transmission medium. Also, a Java input stream is established between a second process executing on the second multi-layered node and the transmission medium. Data to be transmitted from the first process to the second process is encrypted by the first process and written to the Java output stream. The data is transmitted to the second network node. Then the data is read from the Java input stream by the second process and decrypted.
Description

FIELD OF THE INVENTION 

The invention relates to data security, and more specifically, to a method and apparatus for providing layer-independent security in network communications.

BACKGROUND OF THE INVENTION 

Some communication networks, particularly complex ones, support multiple communication protocols or "layers." Each layer specifies some functionality or "service" of the network and interacts with the layers immediately above and below, using services of the layer immediately below, while providing services to the layer immediately above. The lowest layer in a communication network typically governs direct communication between the hardware at different network nodes, while the highest layer handles direct communication with application programs executing on the network nodes.

The layered approach to implementing communication networks simplifies the creation and modification of complex communication architectures by providing for incremental changes on a layer-by-layer basis which are transparent to other layers in the architecture. Two examples of layered communication protocols are the Transmission Control Protocol/Internet Protocol (TCP/IP), which has five layers, and the International Standards Organization's (ISO) Open Systems Interconnection (OSI) Reference Model (RM), which has seven layers.

The proliferation of communication networks and increased frequency of security breaches has underscored the importance of providing secure network communications. Many communication networks depend upon a secure communication connection or "channel" to maintain security. In the context of secure communication networks, a secure communication channel is a connection which provides for the encryption, authentication or otherwise secure transmission of data between network nodes.

Sometimes, setup negotiation is used to establish security for a communication channel. In the context of network communications, setup negotiation refers to specifying and agreeing to the details about security for a communication channel, such as the details of a particular encryption scheme to be used. Once setup negotiation is complete, all communication during the session conforms to the agreed upon security protocol, which provides secure communication.

Setup negotiation is an effective tool for providing secure communication during a communication session. However, when the amount of information included in each session is small, for example when a session contains only a single message, then the overhead attributable to setup negotiation can adversely affect communication performance. Moreover, some communication architectures do not include a session layer, which requires that a session layer be added to support session type security, further degrading performance.

Another approach for providing a secure communication channel involves encrypting or encoding data at a specific layer on a transmitting network node and then decrypting or decoding the data at a corresponding layer on a destination network node. Encrypting data at a specific layer typically involves applying an encryption algorithm based upon the format of data at a particular layer. Header data added by higher layers is also encrypted. Layer-specific encryption is particularly useful in datagram-based or packet-based networks which are typically sessionless and encapsulate data in datagram packets or some other type of data packet. For example, header data may be added to a data packet so that the data packet conforms to a particular format. This approach also provides for multiple encryptions to be performed at different layers.

Although layer-specific encryption can provide a secure communication channel while avoiding the overhead penalty associated with setup negotiation, it does have several limitations. First, all encryption and decryption must occur at the same corresponding layer on both the transmitting and receiving network nodes, according to the specific protocol supported by that layer. For example, Simple Key Management for Internet Protocols (SKIP) is designed to be used with internet protocol packets at the network layer, which requires internet layer-specific function calls. On the other hand, Netscape Communications Corporation's Secure Sockets Layer (SSL) is designed to be used at the (Unix) socket layer and requires socket layer-specific function calls to encrypt and decrypt data. The result is that one application implementing security according to SKIP cannot interact with another application implementing security according to SSL.

In addition, layer-specific encryption can be difficult to employ in object-oriented environments because of the inherent level of abstraction required. For example, some layers operate on data bytes, which often is a much lower level than objects in an object oriented environment.

In view of both the need to provide secure communication channels and the limitations in the prior approaches, an approach for providing a secure communication channel which does not rely upon layer-specific encryption and which does not require setup negotiation is highly desirable.

SUMMARY OF THE INVENTION 

According to one aspect of the invention, a method provides communication protocol-independent security for data transmitted between a first process, executing on a first network node, and a second process, executing on a second network node. Both the first network node and the second network node each support at least one common communication protocol. According to the method, a communication channel is established between the first network node and the second network node. Then, a first stream is established between the first process and the communication channel.

In the context of the invention, a "stream" is an abstraction which refers to the transfer or "flow" of data, in any format, from a single source to a single destination. A stream typically flows through a channel or connection between the sender and receiver, in contrast to data packets, which are typically individually addressed and which may be routed independently to multiple recipients. Hence, an application can write data to, or read data from, a stream without knowing the actual destination or source, respectively, of the data.

After the first stream is established between the first process and the communication channel, a second stream is established between the second process and the communication channel. Data to be transmitted between the first and second processes is encrypted. The encryption of the data is independent of the communication protocol supported by the first network node. The encrypted data is then written to the first stream, which causes the encrypted data to be transmitted from the first network node to the second network node. The encrypted data is read from the second stream and then decrypted to obtain decrypted data which is identical to the data on the first network node before the data was encrypted.

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which like reference numerals refer to similar elements and in which:

Figure 1 is a block diagram of a multi-layered communication network according to an embodiment of the invention;

Figure 2 is a block diagram of a multi-layered communication network according to another embodiment of the invention;

Figure 3 illustrates a stream format according to an embodiment of the invention;

Figure 4 is a flow chart illustrating a method for providing layer-independent secure communication in a multi-layered communication network according to an embodiment of the invention;

Figure 5 is a block diagram of a Java secure channel arrangement according to an embodiment of the invention; and

Figure 6 is a block diagram of a computer system on which the invention may be implemented.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

A method and apparatus for providing layer-independent secure communications in a multi-layered communication network is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, the invention may be practiced without these specific details. In other instances, well-known structures and devices are illustrated in block diagram form in order to avoid unnecessarily obscuring the invention.

FUNCTIONAL OVERVIEW

The invention provides a method and apparatus for providing layer-independent secure communications in a multi-layered communication network. In general, a communication channel or connection is first established between a first multi-layered network node and a second multi-layered network node. Then, a first stream is established between a first process, executing on the first multi-layered network node, and the communication channel. A second stream is then established between a second process, executing on the second multi-layered network node, and the communication channel. Then, the first process performs a layer-independent encryption of data to be transmitted between the first and second multi-layered network nodes and then writes the encrypted data to the first stream, which causes the encrypted data to be transmitted to the second multi-layered network node. Then, the encrypted data is read by the second process from the second stream and decrypted so that the decrypted data is identical to the data on the first multi-layered network node prior to being encrypted.

Figure 1 illustrates a multi-layered communication network 100 to which the invention is applicable. In general, multi-layered communication network 100 includes multi-layered nodes 102, 104, communicatively coupled by transmission medium 106. Although multi-layered communication network 100 may resemble the International Standards Organization (ISO) Open Systems Interconnection (OSI) Reference Model (RM), the invention is applicable to any multi-layered communication network.

A process 108 executes on multi-layered node 102 while a process 110 executes on multi-layered node 104. Multi-layered node 102 supports a multi-layered communication hierarchy 112, where each identified layer supports a particular communication protocol. Each layer in hierarchy 112 offers certain services to the higher layers while shielding the higher layers from the details of how those services are actually implemented. Multi-layered node 104 also supports a multi-layered communication hierarchy 114, which includes layers corresponding to the layers in hierarchy 112. All data transmitted from process 108 to transmission medium 106 conforms to all communication protocols supported by hierarchy 112.

For example, to transmit data 116 from process 108 to transmission medium 106, data 116 must first conform to an application protocol specified by application layer 118 on multi-layered node 102. According to one embodiment of the invention, this requires that data 116 be formatted according to the application layer 118 protocol and that an application protocol header AH be appended to the front end of data 116 which specifies the format of data 116.

This process is repeated for each layer in hierarchy 112. According to one embodiment of the invention, the formatting of data 116 according to a data link layer 120 involves the addition of both a header portion DH and a trailer portion DT to a data portion 122. It should be noted that data link layer 120 is not aware of which portion of data portion 122 corresponds to data 116 and which portion represents formatting information of higher layers. Data link layer 120 formats the entire data portion 122 without regard to which portion may be "real" data 116 and which portion is formatting information added by higher layers in hierarchy 112.

When messages are received by multi-layered node 104 from transmission medium 106, a reverse process occurs. Since messages must conform to the application layer protocol before being processed by process 110, any formatting information attributable to layers below application layer 128 must be removed.

As previously discussed, one approach for providing secure communication between process 108 and process 110 is to have processes 108, 110 perform setup negotiation prior to transmitting data. However, this approach can adversely affect data throughput, particularly when the setup negotiation is performed on a packet-by-packet basis.

Another previously discussed approach is to encrypt the data at one of the layers in hierarchy 112 on multi-layered node 102 before transmitting the data on transmission medium 106. Then, after the encrypted data is received on node 104, the data is decrypted at the corresponding layer in hierarchy 114 on multi-layered node 104 before the data is received by process 110. For example, data may be encrypted at the network layer 124 on multi-layered node 102 and then decrypted at network layer 126 on multi-layered node 104 on a packet-by-packet basis. Although this approach is robust from a security standpoint, the data must be decrypted at the same layer at which the data was encrypted.

LAYER-INDEPENDENT SECURITY 

An approach which provides layer-independent secure network communication in a multi-layered communication network according to an embodiment of the invention is illustrated by the block diagram of Figure 2. A multi-layered communication network 200 includes multi-layered nodes 202, 204 which are communicatively coupled by a transmission medium 206. A process 208 executes on multi-layered node 202 while a process 210 executes on multi-layered node 204.

Multi-layered nodes 202, 204 each support one or more communication layers (protocols) including socket layers 212, 214, respectively. Socket layers 212, 214 provide an interface between processes 208, 210, respectively, and transmission medium 206. Multi-layered nodes 202, 204 may support additional layers (not illustrated) both above and below socket layers 212, 214. Accordingly, socket layers 212, 214 each include sockets (not illustrated), which are end points similar to an OSI Transport Service Access Point (TSAP), and which provide a connection between layers above and below socket layers 212, 214. In addition, a Java secure channel 216 is provided between node 202 and node 204. Java secure channel 216 provides for the layer-independent encryption of high level data constructs such as objects.

Generally, according to an embodiment of the invention, layer-independent security for communications between process 208 and process 210 is provided by process 208 encrypting data which is then written to a Java output stream 218. A Java stream is a stream which provides for the transfer of low level data constructs such as bytes as well as high level data constructs, such as serialized objects, between a source and a destination. The data is then conformed to a socket layer protocol by socket layer 212 and written to transmission medium 206. The data is then processed according to socket layer protocol by socket layer 214 and read from a Java input stream 220 by process 210 and finally decrypted by process 210.

Encryption of stream data according to embodiments of the invention is by definition layer-independent and provides a level of abstractness which is compatible with many abstract processes and languages which support streams, such as object oriented languages.

Besides the layer-independent data encryption performed by process 208, additional (layer-dependent) encryption may be provided at any layer in node 202, with decryption being performed at the corresponding peer layer in node 204.

The data format of object output stream 218 and object input stream 220 is illustrated in Figure 3. Generally, stream format 300 is an abstract message format which is self-contained and layer-independent. Stream format 300 includes 1 to N variable length messages (M1, M2 ... Mn). Each message (M1, M2 ... Mn) includes a header portion (H1, H2 ... Hn) and a data portion (DATA1, DATA2 ... DATAn). According to one embodiment of the invention, each header portion (H1, H2 ... Hn) specifies the length of the associated data portion (D1, D2 ... Dn) and also includes encryption key/authentication information which eliminates the need for setup negotiation. However, certain encryption key/authentication information is established once during system setup so that recipients of the messages (M1, M2 ... Mn) can decrypt data contained in the data portion (D1, D2 ... Dn) of each message (M1, M2 ... Mn).

The flexibility of stream format 300 of the invention provides for the implementation of various encryption/authentication approaches and is not limited to the particular encryption/authentication approach described herein. In addition, since stream format 300 is layer-independent, various data formats may be employed without departing from the scope of the invention.

The specific steps for providing layer-independent security of network communication according to an embodiment of the invention are now described with reference to both the block diagram of Figure 2 and the flow chart of Figure 4. Generally, the steps are described in the context of an object oriented programming method associated with an object, contained in process 208, which invokes a method associated with a remotely located object contained in process 210. In the non-object oriented context, this is very similar to process 208 issuing a remote procedure call (RPC) to invoke a process remotely located on multi-layered node 204. For purposes of explanation, the data transmitted by the method associated with the object contained in process 208 which invokes the method associated with the remotely located object contained in process 210 is hereinafter referred to as the "object data".

After starting in step 400, in step 402, multi-layered nodes 202, 204 establish an encryption/authentication approach during system setup. Unlike traditional setup negotiation which must be continuously re-negotiated, such as on a per session basis, the agreed upon encryption/authentication approach established between multi-layered nodes 202, 204 only needs to be set up once during system setup, or when either multi-layered node 202, 204 is connected to another node and the security techniques described herein are to be employed with that other node.

In step 404, a Java secure channel 216 is established between node 202 and node 204. According to one embodiment of the invention, Java secure channel 216 is an object class which is defined and invoked by process 208.

In step 406, object output stream 218 is established between process 208 and socket layer 212, and in step 408, object input stream 220 is established between socket layer 214 and process 210. According to one embodiment of the invention, object output stream 218 is an object class defined by process 208 while object input stream 220 is an object class defined by process 210.

In step 410, the object data to be transmitted from process 208 to process 210 is serialized, sometimes referred to as "flattening the object," and then encrypted in step 412 based upon the encryption/authentication approach established in step 402.

In step 414, the object data (serialized and encrypted) is written to object output stream 218, which is received by socket layer 212 and formatted according to socket layer protocol. In step 416, the object data is transmitted from socket layer 212 of multi-layered node 202 to socket layer 214 of multi-layered node 204 over transmission medium 206.

As previously discussed, multi-layered node 202 is illustrated as having a single layer, socket layer 212, while multi-layered node 204 is illustrated as having a single layer, socket layer 214, for purposes of explanation. However, multi-layered nodes 202, 204 may be multi-layered and contain other layers above and below socket layers 212, 214. Consequently, although according to an embodiment of the invention the object data is transmitted onto transmission medium 206 in the format illustrated in Figure 3, it is understood that additional formatting of the object data may be performed according to various other communication protocols contained in multi-layered nodes 202, 204. For example, if multi-layered node 202 also supports Internet protocol (IP), then each message (M1, M2 ... Mn) illustrated in Figure 3 would also contain IP header information.

After the object data is received by socket layer 214, the object data is read from object input stream 220 by process 210 in step 418. In step 420, the object data is decrypted according to the encryption/authentication approach established in step 402. Then, in step 422, the object data is de-serialized and the method associated with the object remotely located in process 210 is executed. Finally, the process is complete in step 424.
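The following Java class is an added illustration of the stream format of Figure 3 and of steps 402 through 422 taken together; it is not code from the patent, which fixes no byte layout, cipher or class names. It assumes a header consisting of a 4-byte data length and a 12-byte per-message nonce (the "encryption key/authentication information" of header H1 ... Hn), AES-GCM under a key shared once at system setup, and a loopback TCP socket standing in for socket layers 212, 214 and transmission medium 206. The class name, method names and the deserialization allow-list are this example's own choices.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Hypothetical Java secure channel (assumed layout, not the patent's): every writeObject()
 * call emits one message Mi = Hi + DATAi, where Hi = 4-byte data length + 12-byte nonce and
 * DATAi = AES-GCM ciphertext (plus tag) of the serialized object. The message is plain bytes
 * to whatever stream carries it, so any layer can forward it unchanged.
 */
public class JavaSecureChannel {
    private static final int NONCE_BYTES = 12;
    private static final int TAG_BYTES = 16;
    private static final int MAX_DATA_BYTES = 1 << 20;   // reject absurd lengths before allocating
    // Deserialization allow-list: only java.lang.String may come out of the object input stream.
    private static final ObjectInputFilter FILTER =
            ObjectInputFilter.Config.createFilter("java.lang.String;!*");

    private final SecretKey setupKey;   // agreed once at system setup (step 402), not per session
    private final SecureRandom rnd = new SecureRandom();

    public JavaSecureChannel(SecretKey setupKey) { this.setupKey = setupKey; }

    /** Sender side, steps 410-414: serialize, encrypt, write one message to any output stream. */
    public void writeObject(OutputStream out, Serializable obj) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); } // step 410
        byte[] nonce = new byte[NONCE_BYTES];
        rnd.nextBytes(nonce);                                                  // fresh per message
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, setupKey, new GCMParameterSpec(TAG_BYTES * 8, nonce));
        byte[] data = c.doFinal(bos.toByteArray());                            // step 412
        DataOutputStream dos = new DataOutputStream(out);                     // step 414
        dos.writeInt(data.length);   // header: length of the data portion
        dos.write(nonce);            // header: per-message encryption/authentication information
        dos.write(data);             // data portion: ciphertext followed by the GCM tag
        dos.flush();
    }

    /** Receiver side, steps 418-422: read one message from any input stream, decrypt, deserialize. */
    public Object readObject(InputStream in) throws Exception {
        DataInputStream dis = new DataInputStream(in);                        // step 418
        int len = dis.readInt();
        if (len < TAG_BYTES || len > MAX_DATA_BYTES) throw new IOException("bad data length " + len);
        byte[] nonce = new byte[NONCE_BYTES];
        dis.readFully(nonce);
        byte[] data = new byte[len];
        dis.readFully(data);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, setupKey, new GCMParameterSpec(TAG_BYTES * 8, nonce));
        byte[] plain = c.doFinal(data);   // step 420; throws AEADBadTagException if altered in transit
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(plain))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();      // step 422
        }
    }

    /** Loopback demonstration: node 202 writes through a plain TCP socket, node 204 reads. */
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey setupKey = kg.generateKey();               // step 402, distributed out of band
        JavaSecureChannel node202 = new JavaSecureChannel(setupKey);
        JavaSecureChannel node204 = new JavaSecureChannel(setupKey);

        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Thread receiver = new Thread(() -> {
                try (Socket s = server.accept()) {
                    System.out.println("node 204 received: " + node204.readObject(s.getInputStream()));
                } catch (Exception e) {
                    e.printStackTrace();
                }
            });
            receiver.start();
            try (Socket s = new Socket(server.getInetAddress(), server.getLocalPort())) {
                node202.writeObject(s.getOutputStream(), "remoteMethod(42)");   // constructed object data
            }
            receiver.join();
        }
    }
}
```

Two checks matter on the receiving side and are easy to omit: the length field is bounded before any buffer is allocated, so a corrupted or hostile header cannot force a huge allocation, and the object input stream carries an allow-list filter, since step 422 deserializes whatever the decrypted data contains and, with a shared symmetric key, any holder of that key can author it. The same two calls work unchanged over a file or pipe stream, which is the layer-independence the text describes.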

Although embodiments of the invention have been described in the context of encrypting and decrypting object data by processes 208, 210, which are effectively above all of the layers supported by multi-layered nodes 202, 204, respectively, data may be encrypted and decrypted at any layer supported by multi-layered nodes 202, 204, since the encryption of data is performed before the data is written to a stream and is therefore layer-independent.

For example, referring again to Figure 1, according to another embodiment of the invention, process 108 encrypts data 116 and then writes data 116 to a stream (not illustrated) which is formatted according to the protocol hierarchy 112 and transmitted to multi-layered node 104 on transmission medium 106. Since data 116 was encrypted at the stream level, data 116 may be decrypted at any layer in hierarchy 114, so long as data 116 can be extracted from the data stream. Typically the size and position of data 116 within a data chunk is known, which allows data 116 to be extracted from a data chunk even though the data chunk contains protocol specific information from higher layers. However, if data 116 is encrypted at any other layer in hierarchy 112, then data 116 must first be decrypted at a corresponding layer in hierarchy 114.

According to another embodiment of the invention, a stream is connected to several other protocol-specific streams to support the broadcasting or multi-casting of encrypted information. Figure 5 illustrates an arrangement 500 which includes a stream 502 according to an embodiment of the invention, connected via connectors 504 to intelligent converters 506, which convert stream 502 into protocol-specific streams 508 such as file I/O, object I/O, and socket I/O streams. Converters 506 have the capability to extract the data portion from stream 502 to support streams 508 at any protocol layer.

According to arrangement 500, any number of protocol-specific streams 508 may be connected to stream 502. In addition, the headers of messages in stream 502 may contain destination-specific encryption/authentication information. For example, stream 502 may contain an encryption/authentication value A, while a recipient of one of the protocol-specific streams 508 holds a key value X, making the decryption of stream 502 a function of A and X (key = f(A, X)). Likewise, similar keys may be developed for the other protocol-specific streams 508.
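As an added example of the destination-specific keying of arrangement 500 (not the patent's own code; the patent names neither f nor a message layout), the Java class below takes f(A, X) to be HMAC-SHA256 keyed with the destination's X, applied to a fresh per-message value A carried in the header. So that one data portion can serve every stream 508, the data is encrypted once under a random content key, and the header carries that content key wrapped under each destination's f(A, X). The class and method names and the constructed X values are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical multicast message for arrangement 500. Header: value A, nonce and, per destination,
 * the content key wrapped under key_i = f(A, X_i). Data portion: the payload under the content key.
 */
public class MulticastStreamKeys {
    record Message(byte[] a, byte[] nonce, Map<String, byte[]> wrappedKeys, byte[] data) {}

    /** key = f(A, X): a 32-byte AES key for one destination, derived from header value A and its secret X. */
    static byte[] f(byte[] a, byte[] x) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(x, "HmacSHA256"));
        return mac.doFinal(a);
    }

    static byte[] gcm(int mode, byte[] key, byte[] nonce, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        return c.doFinal(in);
    }

    /** Stream 502 side: one ciphertext for all destinations, one wrapped content key per destination. */
    static Message send(Map<String, byte[]> destinationSecrets, byte[] plain) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] a = new byte[16], nonce = new byte[12], contentKey = new byte[32];
        rnd.nextBytes(a);
        rnd.nextBytes(nonce);
        rnd.nextBytes(contentKey);
        Map<String, byte[]> wrapped = new HashMap<>();
        for (Map.Entry<String, byte[]> e : destinationSecrets.entrySet()) {
            // key_i is new for every message because A is fresh, so each (key_i, nonce) pair is used once
            wrapped.put(e.getKey(), gcm(Cipher.ENCRYPT_MODE, f(a, e.getValue()), nonce, contentKey));
        }
        return new Message(a, nonce, wrapped, gcm(Cipher.ENCRYPT_MODE, contentKey, nonce, plain));
    }

    /** Converter 506 side for one stream 508: recover the data portion from A and this destination's X. */
    static byte[] receive(String destination, byte[] x, Message m) throws Exception {
        byte[] wrap = m.wrappedKeys().get(destination);
        if (wrap == null) throw new SecurityException("message not addressed to " + destination);
        byte[] contentKey = gcm(Cipher.DECRYPT_MODE, f(m.a(), x), m.nonce(), wrap);  // AEADBadTagException on wrong X
        return gcm(Cipher.DECRYPT_MODE, contentKey, m.nonce(), m.data());
    }

    public static void main(String[] args) throws Exception {
        // Constructed destination secrets X; in practice these are provisioned at system setup (step 402).
        byte[] xFile = "constructed-secret-for-file-io-stream".getBytes(StandardCharsets.UTF_8);
        byte[] xSocket = "constructed-secret-for-socket-io-stream".getBytes(StandardCharsets.UTF_8);
        Map<String, byte[]> secrets = Map.of("file", xFile, "socket", xSocket);
        byte[] plain = "object data for all streams".getBytes(StandardCharsets.UTF_8);

        Message m = send(secrets, plain);
        // Each destination recovers the same data portion with its own X.
        System.out.println("file stream ok:   " + Arrays.equals(plain, receive("file", xFile, m)));
        System.out.println("socket stream ok: " + Arrays.equals(plain, receive("socket", xSocket, m)));
        try {
            receive("socket", xFile, m);   // a holder of the wrong X cannot unwrap the content key
        } catch (AEADBadTagException e) {
            System.out.println("wrong X rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Because A changes per message, a converter that learns one message's key_i learns nothing about the next one, and a destination removed from the secrets map simply stops receiving wrapped keys, which is how per-destination revocation falls out of this layout without renegotiating anything with the remaining streams.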

HARDWARE OVERVIEW 

Figure 6 is a block diagram which illustrates a computer system 600 upon which an embodiment of the invention may be implemented. Computer system 600 includes a bus 602 or other communication mechanism for communicating information, and a processor 604 coupled with bus 602 for processing information. Computer system 600 also includes a main memory 606, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 602 for storing information and instructions to be executed by processor 604. Main memory 606 also may be used for storing temporary variables or other intermediate information during execution of instructions by processor 604. Computer system 600 also includes a read only memory (ROM) 608 or other static storage device coupled to bus 602 for storing static information and instructions for processor 604. A storage device 610, such as a magnetic disk or optical disk, is also provided and coupled to bus 602 for storing information and instructions.

Computer system 600 may also be coupled via bus 602 to a display 612, such as a cathode ray tube (CRT), for displaying information to a computer user. An input device 614, including alphanumeric and other keys, is also provided and coupled to bus 602 for communicating information and command selections to processor 604. Another type of user input device is cursor control 616, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 604 and for controlling cursor movement on display 612. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), which allows the device to specify positions in a plane.

The invention is related to the use of computer system 600 to provide layer-independent secure network communication. According to one embodiment of the invention, layer-independent secure network communication is provided by computer system 600 in response to processor 604 executing sequences of instructions contained in main memory 606. Such instructions may be read into main memory 606 from another computer-readable medium, such as storage device 610. However, the computer-readable medium is not limited to devices such as storage device 610. For example, the computer-readable medium may include a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, a CD-ROM, any other optical medium, a RAM, a PROM, an EPROM, a FLASH-EPROM, any other memory chip or cartridge, or any other medium from which a computer can read. Execution of the sequences of instructions contained in main memory 606 causes processor 604 to perform the process steps previously described. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.

Computer 600 also includes a communication interface 618 coupled to bus 602. Communication interface 618 provides a two-way data communication coupling to a network link 620 to a local network 622. For example, if communication interface 618 is an integrated services digital network (ISDN) card or a modem, communication interface 618 provides a data communication connection to the corresponding type of telephone line. If communication interface 618 is a local area network (LAN) card, communication interface 618 provides a data communication connection to a compatible LAN. Wireless links are also possible. In any such implementation, communication interface 618 sends and receives electrical, electromagnetic or optical signals which carry digital data streams representing various types of information.

Network link 620 typically provides data communication through one or more networks to other data devices. For example, network link 620 may provide a connection through local network 622 to a host computer 624 or to data equipment operated by an Internet Service Provider (ISP) 626. ISP 626 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the "Internet" 628. Local network 622 and Internet 628 both use electrical, electromagnetic or optical signals which carry digital data streams. The signals through the various networks and the signals on network link 620 and through communication interface 618, which carry the digital data to and from computer 600, are exemplary forms of carrier waves transporting the information.

Computer 600 can send messages and receive data, including program code, through the network(s), network link 620 and communication interface 618. In the Internet example, a server 630 might transmit a requested code for an application program through Internet 628, ISP 626, local network 622 and communication interface 618. In accord with the invention, one such downloaded application provides for the synchronization of threads using selective object locking as described herein.

The received code may be executed by processor 604 as it is received, and/or stored in storage device 610, or other non-volatile storage for later execution. In this manner, computer 600 may obtain application code in the form of a carrier wave.

Although the invention has been described in the context of connection-based communication architectures, the invention is also applicable to sessionless datagram or packet based communication architectures.

The invention provides several advantages over prior approaches for implementing secure network communications. Most importantly, security is implemented using streams which are layer independent. This allows an encrypted stream to be decrypted at any layer without requiring the use of layer specific calls to perform the decryption, which provides greater flexibility than prior approaches. For example, an encrypted stream transmitted by a sending node may be decrypted by a firewall connection at the network (packet) layer having knowledge of the encryption approach negotiated during system setup. Moreover, this approach does not affect existing encryption being carried out at various layers. The approach of the invention avoids the setup negotiation which can significantly degrade communication performance in certain situations.
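The stream arrangement described above, and the steps b) through h) of Claim 1 below, can be illustrated with the JDK's own stream wrappers. The following is an added example written for this page; it is not code from the patent, which names no cipher. It assumes AES/GCM as the concrete algorithm, assumes the key was shared between the two nodes during setup, and uses a ByteArrayOutputStream as a stand-in for the communication channel; the class and method names are hypothetical. It requires Java 11 or later for readNBytes and readAllBytes. The point it makes is that the encrypting and decrypting wrappers accept any java.io stream, so the node (or a firewall) doing the decryption needs no transport-specific calls, and that an authenticated mode is what actually guarantees the "identical to the data before it was encrypted" property in step h): a modified ciphertext is rejected rather than silently decrypted to garbage.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical illustration (not the patent's code) of protocol-independent stream encryption. */
public class LayerIndependentStreams {
    private static final int IV_BYTES = 12;   // 96-bit GCM nonce, fresh for every stream
    private static final int TAG_BITS = 128;  // GCM authentication tag length
    private static final SecureRandom RNG = new SecureRandom();

    /**
     * Sender side (Claim 1, steps b, d, e): wrap whatever OutputStream leads to the
     * communication channel. The caller never touches the transport; it just writes.
     */
    static OutputStream encryptingStream(OutputStream toChannel, SecretKey key)
            throws GeneralSecurityException, IOException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        toChannel.write(iv);                     // nonce is public; it precedes the ciphertext
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return new CipherOutputStream(toChannel, cipher);
    }

    /**
     * Receiver side (steps c, g, h): wrap whatever InputStream the channel delivers,
     * whether it is a socket, a file, or bytes captured at a lower layer.
     */
    static InputStream decryptingStream(InputStream fromChannel, SecretKey key)
            throws GeneralSecurityException, IOException {
        byte[] iv = fromChannel.readNBytes(IV_BYTES);
        if (iv.length != IV_BYTES) {
            throw new IOException("stream too short to contain a nonce");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return new CipherInputStream(fromChannel, cipher);
    }

    /** Round-trips a message through an in-memory channel and reports whether it came back intact. */
    static boolean roundTrip(SecretKey key, byte[] message) throws Exception {
        ByteArrayOutputStream channel = new ByteArrayOutputStream(); // stands in for the network link
        try (OutputStream out = encryptingStream(channel, key)) {
            out.write(message);                  // close() flushes the final block and the GCM tag
        }
        try (InputStream in = decryptingStream(new ByteArrayInputStream(channel.toByteArray()), key)) {
            return Arrays.equals(in.readAllBytes(), message);
        }
    }

    /** Returns true if a one-byte modification of the ciphertext is rejected on read. */
    static boolean detectsTampering(SecretKey key, byte[] message) throws Exception {
        ByteArrayOutputStream channel = new ByteArrayOutputStream();
        try (OutputStream out = encryptingStream(channel, key)) {
            out.write(message);
        }
        byte[] wire = channel.toByteArray();
        wire[wire.length - 1] ^= 0x01;           // corrupt the last byte of the authentication tag
        try (InputStream in = decryptingStream(new ByteArrayInputStream(wire), key)) {
            in.readAllBytes();
            return false;                        // plaintext was released despite the corruption
        } catch (IOException e) {                // the JDK surfaces AEADBadTagException as IOException
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();        // assumed: shared between the nodes during setup
        byte[] message = "constructed sample payload".getBytes(StandardCharsets.UTF_8); // constructed input
        System.out.println("round trip intact:  " + roundTrip(key, message));
        System.out.println("tampering detected: " + detectsTampering(key, message));
    }
}
```

Two properties of the JDK wrappers matter in practice. CipherInputStream in GCM mode holds back plaintext until the whole stream has been read and the tag verified, so a long-lived stream should be framed into bounded records, each with its own nonce. And a nonce must never repeat under the same key, which is why one is generated per stream here rather than fixed at setup.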

In the foregoing specification, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.



Claims 

1. A method for providing communication protocol-independent security for data transmitted between a first process, executing on a first network node, and a second process, executing on a second network node, wherein the first network node and the second network node each support at least one common communication protocol, the method comprising the steps of:

a) establishing a communication channel between the first network node and the second network node;

b) establishing a first stream between the first process and the communication channel;

c) establishing a second stream between the second process and the communication channel;

d) encrypting data to be transmitted between the first and second processes, the encrypting of the data being independent of the at least one communication protocol supported by the first network node;

e) writing the encrypted data to the first stream;

f) causing the encrypted data to be transmitted from the first network node to the second network node;

g) reading the encrypted data from the second stream; and

h) decrypting the encrypted data to obtain decrypted data which is identical to the data on the first network node before the data was encrypted.

2. The method of Claim 1, further including the steps of:

a) performing a communication protocol-specific encryption of the data on the first network node, and

b) performing a communication protocol-specific decryption of the data on the second network node.

3. The method of Claim 1, wherein the communication channel is a Java secure channel,
wherein the first stream is a first Java stream,
wherein the second stream is a second Java stream,
wherein the step of establishing a communication channel between the first and second network nodes further comprises the step of establishing a Java secure channel between the first and second network nodes,
wherein the step of establishing a first stream between the first process and the communication channel further comprises the step of establishing a first Java stream between the first process and the Java secure channel,
wherein the step of establishing a second stream between the second process and the communication channel further comprises the step of establishing a second Java stream between the second process and the Java secure channel,
wherein the step of writing the encrypted data to the first stream further comprises the step of writing the encrypted data to the first Java stream, and
wherein the step of reading the encrypted data from the second stream further comprises the step of reading the encrypted data from the second Java stream.

4. The method of Claim 1, wherein the communication channel is a Java secure channel,
wherein the first stream is a Java stream,
wherein the second stream is a Java stream,
wherein the method further comprises the step of connecting the Java secure channel to a third Java stream, and
wherein the third Java stream provides for the transmission of data according to a specific communication protocol.

10 

5. A computer-readable medium having stored thereon a plurality of sequences of instructions for providing communication protocol-independent security for data transmitted between a first process executing on a first network node, and a second process, executing on a second network node, wherein the first network node and the second network node each support at least one common communication protocol, the plurality of sequences of instructions including sequences of instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of:

a) establishing a communication channel between the first network node and the second network node;

b) establishing a first stream between the first process and the communication channel;

c) establishing a second stream between the second process and the communication channel;

d) encrypting data to be transmitted between the first and second processes, the encrypting of the data being independent of the communication protocols supported by the first network node;

e) writing the encrypted data to the first stream;

f) causing the encrypted data to be transmitted from the first network node to the second network node;

g) reading the encrypted data from the second stream; and

h) decrypting the encrypted data to obtain decrypted data which is identical to the data on the first network node before the data was encrypted.

6. The computer-readable medium of Claim 5, wherein the computer-readable medium further includes instructions for performing the steps of:

a) performing a communication protocol-specific encryption of the data on the first network node, and

b) performing a communication protocol-specific decryption of the data on the second network node.

7. The computer-readable medium of Claim 5, wherein the first stream is a first Java stream,
wherein the second stream is a second Java stream,
wherein the step of establishing a communication channel between the first and second network nodes further comprises the step of establishing a Java secure channel between the first and second network nodes,
wherein the step of establishing a first stream between the first process and the communication channel further comprises the step of establishing a first Java stream between the first process and the Java secure channel,
wherein the step of establishing a second stream between the second process and the communication channel further comprises the step of establishing a second Java stream between the second process and the Java secure channel,
wherein the step of writing the encrypted data to the first stream further comprises the step of writing the encrypted data to the first Java stream, and
wherein the step of reading the encrypted data from the second stream further comprises the step of reading the encrypted data from the second Java stream.

8. The computer-readable medium of Claim 5, wherein the communication channel is a Java secure channel,
wherein the first stream is a Java stream,
wherein the second stream is a Java stream,
wherein the computer-readable medium further includes instructions for connecting the Java secure channel to a third Java stream, and
wherein the third Java stream provides for the transmission of data according to a specific communication protocol.

9. A communication network providing communication protocol-independent secure communication between a first network node and a second network node, wherein the first network node and the second network node each support at least one common communication protocol, wherein the first network node is communicatively coupled to the second network node by a communication channel, the communication network comprising:

a) a first process executing on the first network node, wherein the first process provides for the communication protocol-independent encryption of data;

b) a first stream which provides for the transfer of encrypted data between the first process and the communication channel;

c) a second process executing on the second network node; and

d) a second stream which provides for the transfer of encrypted data between the communication channel and the second process, wherein the second process also provides for the decryption of data which has been encrypted by the first process.

10. The communication network of Claim 9, wherein the second process further includes the capability to decrypt data based upon any communication protocol supported by the second network node.

11. The communication network of Claim 9, wherein the communication channel is a Java secure channel, the first stream is a Java stream and the second stream is a Java stream.

12. The communication network of Claim 11, further comprising a third Java stream connected to the Java secure channel, the third Java stream providing for the transmission of data according to a specific communication protocol.

13. A computer data signal embodied in a carrier wave and representing sequences of instruction which, when executed by one or more processors, provide communication protocol-independent security for data transmitted between a first process, executing on a first network node, and a second process, executing on a second network node, wherein the first network node and the second network node each support at least one common communication protocol, by performing the steps of:

a) establishing a communication channel between the first network node and the second network node;

b) establishing a first stream between the first process and the communication channel;

c) establishing a second stream between the second process and the communication channel;

d) encrypting data to be transmitted between the first and second processes, the encrypting of the data being independent of the communication protocols supported by the first network node;

e) writing the encrypted data to the first stream;

f) causing the encrypted data to be transmitted from the first network node to the second network node;

g) reading the encrypted data from the second stream; and

h) decrypting the encrypted data to obtain decrypted data which is identical to the data on the first network node before the data was encrypted.

14. The computer data signal of Claim 13, wherein the computer sequence of instructions further includes instructions for performing the steps of:

a) performing a communication protocol-specific encryption of the data on the first network node, and

b) performing a communication protocol-specific decryption of the data on the second network node.

15. The computer data signal of Claim 13, wherein the first stream is a first Java stream,
wherein the second stream is a second Java stream,
wherein the step of establishing a communication channel between the first and second network nodes further comprises the step of establishing a Java secure channel between the first and second network nodes,
wherein the step of establishing a first stream between the first process and the communication channel further comprises the step of establishing a first Java stream between the first process and the Java secure channel,
wherein the step of establishing a second stream between the second process and the communication channel further comprises the step of establishing a second Java stream between the second process and the Java secure channel,
wherein the step of writing the encrypted data to the first stream further comprises the step of writing the encrypted data to the first Java stream, and
wherein the step of reading the encrypted data from the second stream further comprises the step of reading the encrypted data from the second Java stream.

16. The computer data signal of Claim 13, wherein the communication channel is a Java secure channel,
wherein the first stream is a Java stream,
wherein the second stream is a Java stream,
wherein the computer sequence of instructions further includes instructions for connecting the Java secure channel to a third Java stream, and
wherein the third Java stream provides for the transmission of data according to a specific communication protocol.

17. A method for providing communication protocol-independent security for data transmitted by a process executing on a network node, the method comprising the steps of:

a) establishing a stream between the process and a communication channel;

b) encrypting data to be transmitted by the process, the encrypting of the data being independent of a communication protocol supported by the network node;

c) writing the encrypted data to the stream; and

d) causing the encrypted data to be transmitted from the network node to the communication channel.

18. The method of Claim 17, wherein the communication channel is a Java secure channel,
wherein the stream is a first Java stream,
wherein the step of establishing a stream between the process and the communication channel further comprises the step of establishing a Java stream between the process and the Java secure channel, and
wherein the step of writing the encrypted data to the stream further comprises the step of writing the encrypted data to the Java stream.

19. The method of Claim 17, wherein the communication channel is a Java secure channel,
wherein the stream is a Java stream,
wherein the method further comprises the step of connecting the Java secure channel to a second Java stream, and
wherein the second Java stream provides for the transmission of data according to a specific communication protocol.